The year 2026 is a moment when regulatory training requirements for IT industries reach a new level of complexity. If you’re an L&D Manager, responsible for compliance, or managing IT teams in a regulated organisation, you need to know exactly which training is mandatory, whom it affects, when it must be completed, and what penalties apply for non-compliance. This article is a complete checklist of mandatory IT training in 2026 – a practical guide to help you plan your budget and schedule and avoid costly penalties.
Quick links
- Which regulations require IT training in 2026?
- NIS2 — training requirements and implementation deadlines
- DORA — training obligations for the financial sector
- AI Act — new AI literacy requirement in organisations
- GDPR — continuous training obligation for IT teams
- Summary table — checklist of mandatory training per regulation
- Industry requirements — finance, healthcare, energy, administration
- How to plan compliance training budget in 2026?
- Training grants — KFS and other sources
- How EITT supports organisations in meeting training requirements
- FAQ — most frequently asked questions about mandatory IT training
Which regulations require IT training in 2026?
The year 2026 is the time of full implementation of key EU regulations that impose direct training obligations on organisations. Here are the most important ones:
NIS2 (Directive on Security of Network and Information Systems) – in force since October 2024, full enforcement in 2025-2026. Requires cybersecurity training for management and IT teams in essential and important entities.
DORA (Digital Operational Resilience Act) – in force from 17 January 2025. Imposes detailed training requirements for the financial sector in digital resilience, ICT risk management, and security testing.
AI Act (Artificial Intelligence Regulation) – comes into force in stages from 2024, full implementation by 2026. Introduces AI literacy requirement for teams working with high-risk systems.
GDPR (General Data Protection Regulation) – in force since 2018, but in 2026 supervisory authorities are tightening controls and imposing higher penalties. GDPR training remains mandatory for all who process personal data.
NCA (National Cybersecurity Act) – Polish implementation of NIS2, adds national requirements for operators of essential services (OES) and digital service providers (DSP).
Additionally, the financial sector is subject to financial supervisory authority requirements; healthcare is subject to requirements from the National Health Fund and departmental cybersecurity standards; and energy is subject to regulations from the Energy Regulatory Office and the Polish Power Grid.
NIS2 — training requirements for organisations
The NIS2 Directive is the broadest cybersecurity regulation in the EU, covering approximately 160,000 entities in Europe, including approximately 10,000 Polish companies. Training requirements are a key element of compliance here.
Whom does NIS2 affect?
- Essential entities: energy, transport, banking, healthcare, digital infrastructure, public administration, space
- Important entities: postal services, waste management, manufacturing, digital platforms, food sector
Medium and large enterprises (50+ employees, €10+ million turnover) in these sectors are subject to NIS2.
What training does NIS2 require?
Management (C-level, board):
- Cybersecurity and risk management training
- Legal responsibility and board obligations in the context of NIS2
- Incident management and business continuity
- Frequency: at least once a year, documentation obligation
IT and cybersecurity teams:
- Cyber risk management
- Incident detection and response (CSIRT)
- Supply chain security
- Vulnerability management and patching
- Frequency: regular training, tailored to role
All employees:
- Cyberhygiene basics (phishing, passwords, social engineering)
- Secure remote working principles
- Incident reporting procedures
- Frequency: at least once a year, awareness campaigns
Deadlines and penalties
- Implementation deadline: Poland implemented NIS2 by October 2024, full enforcement in 2025-2026
- Penalties for lack of training: up to €10 million or 2% of annual turnover for essential entities, up to €7 million or 1.4% of turnover for important entities
- Documentation: Organisations must maintain training registers and prove that management has completed required courses
DORA — training requirements for the financial sector
The DORA Regulation has been in force since 17 January 2025 and is directly applicable throughout the EU, without the need for national implementation. It covers all financial sector entities: banks, insurers, investment firms, payment institutions, pension funds, credit intermediaries, and ICT service providers to this sector.
What training does DORA require?
Management and senior staff:
- ICT risk management
- Third-party risk management
- Digital resilience testing (TLPT – Threat-Led Penetration Testing)
- Business continuity management and disaster recovery planning
- Frequency: regular updates, reporting obligation to financial supervisory authority
IT and cybersecurity teams:
- ICT-related incident management
- Incident classification and reporting (according to EBA, ESMA, EIOPA)
- ICT supply chain management
- Resilience testing (penetration testing, red teaming)
- Frequency: continuous training, including advanced practical tests
Risk management teams:
- ICT risk management framework
- Cooperation with ICT service providers
- Threat intelligence sharing
- Frequency: according to internal policy, recommended every 6-12 months
Deadlines and penalties
- In force from: 17 January 2025
- Sanctions: Financial supervisory authorities can impose penalties of up to €10 million or 5% of annual turnover (for banks)
- Reporting: ICT incidents must be reported within 4 hours (initial notification), 72 hours (intermediate report), and 1 month (final report)
AI Act — AI literacy obligation in organisations
The Artificial Intelligence Regulation (AI Act) introduces a new type of training obligation: AI literacy, i.e., the ability to understand and safely use AI systems.
Whom does AI Act affect?
- Organisations deploying high-risk AI systems (e.g., in recruitment, credit scoring, access control, healthcare)
- Providers of large-scale foundation models
- Organisations using general-purpose AI systems (GPAI)
What training does AI Act require?
Teams deploying high-risk AI systems:
- AI risk management
- Technical documentation and transparency
- Ethical AI principles and bias mitigation
- AI model audit and verification
- Frequency: before system deployment and regularly (every 12-24 months)
Employees using AI at work:
- AI literacy – basics of how AI systems work
- Safe use of AI tools (ChatGPT, Copilot, etc.)
- Recognising AI errors and hallucinations
- Training data management
- Frequency: at least once a year, awareness campaigns
Management:
- Strategic AI management in the organisation
- Legal responsibility for AI systems
- AI governance and compliance
- Frequency: every 12 months or with regulatory changes
Deadlines
- Ban on high-risk AI systems: 2 February 2025
- Requirements for GPAI models: August 2025
- Full implementation: 2 August 2026
GDPR — continuous training obligation for IT teams
GDPR has been in force since 2018, but in 2026 supervisory authorities are tightening controls, particularly in the context of data breaches and ransomware attacks. GDPR training remains mandatory for all who process personal data.
What training does GDPR require?
IT teams and system administrators:
- Principles of personal data protection in IT
- Processing security (encryption, pseudonymisation)
- Data breach incident management
- Cloud data protection and secure backups
- Frequency: every 12-24 months
Management:
- Data controller obligations
- Civil and criminal liability for GDPR violations
- Privacy by design and privacy by default
- Frequency: every 24 months or with organisational changes
All employees:
- GDPR basics for employees
- Recognising phishing and social engineering attempts
- Secure data processing principles
- Frequency: at least once a year
DPO (Data Protection Officer):
- Advanced GDPR training
- EXIN PDPF, PDPE, CIPP/E certification
- Frequency: continuous development, according to role requirements
Penalties
- Maximum penalties: up to €20 million or 4% of annual turnover (for the most serious violations)
- Lack of training: Supervisory authorities treat lack of training as a violation of Article 32 GDPR (security of processing)
Summary table — checklist of mandatory training per regulation
| Regulation | Whom it affects | Required training | Frequency | Implementation deadline | Penalties for non-compliance |
|---|---|---|---|---|---|
| NIS2 | Essential and important entities (energy, transport, banking, healthcare, digital infrastructure, manufacturing, postal services) | Management: cybersecurity, risk management; IT teams: CSIRT, supply chain security; All: cyberhygiene | At least once a year | October 2024 (national implementation) | €10 million or 2% of turnover (essential entities); €7 million or 1.4% of turnover (important entities) |
| DORA | Financial sector (banks, insurers, investment firms, payments, ICT providers) | Management: ICT risk management; IT teams: resilience testing (TLPT), incident management; Risk teams: third-party risk | Regular, according to internal policy | 17 January 2025 | €10 million or 5% of turnover (for banks) |
| AI Act | Organisations deploying high-risk AI, GPAI model providers | AI teams: AI risk management, documentation, model audit; Employees: AI literacy; Management: AI governance | Every 12-24 months | 2 August 2026 (full implementation) | €35 million or 7% of turnover (for most serious violations) |
| GDPR | All organisations processing personal data | IT teams: processing security, incident management; Management: controller obligations; All: GDPR basics | Every 12-24 months | In force since 2018 | €20 million or 4% of turnover |
| NCA | Operators of essential services (OES), digital service providers (DSP) | Similar to NIS2 plus national requirements; Management: cybersecurity management; Teams: incident reporting to national CSIRT | At least once a year | Polish NIS2 implementation | Administrative penalties up to PLN 1 million |
Industry requirements — finance, healthcare, energy, administration
In addition to general regulations (NIS2, DORA, GDPR, AI Act), individual industries are subject to additional training requirements.
Financial sector
- DORA (from 2025): mandatory for all financial entities
- Financial supervisory authority recommendations: operational risk management, cybersecurity, application security training
- PSD2: secure payment authorisation (SCA) training
- AML (Anti-Money Laundering): money laundering and terrorist financing detection training
- Frequency: regular, minimum once a year
Healthcare
- NIS2: healthcare entities as essential sector
- Departmental cybersecurity standards: National Health Fund and Ministry of Health requirements
- GDPR + medical data protection: specific requirements for sensitive data (Article 9 GDPR)
- Required training: medical system security management (HIS, PACS), patient data protection, incident management
- Frequency: at least once a year for medical and IT staff
Energy
- NIS2: essential sector
- Petroleum reserves legislation: cybersecurity requirements for critical infrastructure operators
- National Grid regulations: industrial cybersecurity (ICS/SCADA) training
- IEC 62443 standards: industrial control system security standard
- Required training: OT (operational technology) security, SCADA protection, critical infrastructure risk management
- Frequency: at least once a year
Public administration
- NIS2: essential sector
- Informatisation legislation: cybersecurity obligations for public offices
- GDPR: specific requirements for public sector entities
- Required training: cybersecurity in administration, citizen data protection, incident management
- Frequency: at least once a year for IT staff and civil servants
How to plan compliance training budget in 2026?
Budget planning for training is one of the biggest challenges for L&D Managers in 2026. Here’s a practical approach:
Step 1: Map training obligations
First, determine which regulations affect your organisation:
- Are you in a sector covered by NIS2? (check the list of essential and important entities)
- Do you operate in the financial sector? (DORA)
- Are you deploying AI systems? (AI Act)
- Do you process personal data? (GDPR)
Step 2: Count how many employees require training
Example for a 500-person company (financial sector, covered by NIS2 and DORA):
| Group | Number of people | Required training | Estimated cost |
|---|---|---|---|
| Management | 10 | NIS2 + DORA + GDPR | PLN 20,000 |
| IT teams (50 people) | 50 | NIS2 + DORA + GDPR + advanced cybersecurity | PLN 100,000 |
| Compliance teams (10 people) | 10 | DORA + GDPR + security audit | PLN 25,000 |
| All employees | 500 | GDPR + cyberhygiene | PLN 50,000 |
| TOTAL | 500 | | PLN 195,000 |
Unit costs assumed in the table above:
- Cost of training for management: PLN 2,000/person (closed training, consultations)
- Cost of training for IT teams: PLN 2,000/person (advanced, hands-on)
- Cost of training for compliance: PLN 2,500/person (certifications, audit)
- Cost of training for employees: PLN 100/person (e-learning, campaigns)
Step 3: Include additional costs
- Certifications: EXIN (PDPF, PDPE), PECB (ISO 27001 Lead Implementer), EC-Council (CEH)
- Compliance audit: gap analysis – PLN 20,000 - 50,000
- Phishing simulations: PLN 5,000 - 15,000/year
- Legal consultations: regulation interpretation – PLN 10,000 - 30,000
Step 4: Plan the schedule
- Q1 2026: Management training (NIS2, DORA), gap analysis
- Q2 2026: IT and compliance team training
- Q3 2026: Employee training (GDPR, cyberhygiene), phishing simulations
- Q4 2026: Advanced training, certifications, audit tests
Training grants — KFS and other sources
Good news: many compliance training programmes can be co-financed from public funds.
National Training Fund (KFS)
- Co-financing amount: up to 80% of training costs, max 300% of average salary per employee
- For whom: companies employing at least 1 employee
- Conditions: training must be related to labour market needs and improve employee qualifications
- Covered training: NIS2, DORA, GDPR, cybersecurity, IT certifications
- How to apply: submit application to the District Employment Office in your region
Polish Agency for Enterprise Development (PARP)
- Skills for Business Programme: grants for digital competence training
- Co-financing amount: up to 80% of costs
- For whom: SMEs (micro, small, medium enterprises)
Training vouchers (Provincial Employment Office)
- Amount: up to PLN 5,000 per employee
- For whom: companies in selected regions
- Covered training: IT certifications, cybersecurity, compliance
Tax relief for training
- Article 26d of Personal Income Tax Act: employer can deduct up to 50% of employee training expenses from tax base
- For whom: all companies
How EITT supports organisations in meeting training requirements
EITT is a partner that understands the regulatory complexity of 2026. We offer comprehensive support for L&D Managers and compliance departments:
Our compliance training
NIS2 — Cybersecurity for management
- Legal responsibility of the board in the context of NIS2
- Cyber risk management
- Incident management and business continuity
- Format: closed training, 1-2 days
- For whom: C-level, board, IT managers
DORA — Digital resilience for the financial sector
- ICT risk management
- Third-party risk management
- Resilience testing (TLPT)
- Format: closed training, 2 days
- For whom: banks, insurers, fintech
AI Act — AI literacy and AI governance
- Basics of how AI systems work
- High-risk AI risk management
- AI governance and compliance
- Format: open and closed training, 1 day
- For whom: AI teams, management, employees
GDPR — Personal data protection in practice
- GDPR principles for IT teams
- Data processing security
- Data breach incident management
- Format: e-learning + classroom training, 1 day
- For whom: IT teams, DPO, management
Cybersecurity — practical training
- Cyberhygiene for employees
- Advanced training for IT teams (CSIRT, pentesting)
- Phishing simulations and red team exercises
- Format: e-learning, workshops, closed training
- For whom: all employees, IT teams
Our approach
- Industry customisation: We don’t sell off-the-shelf training. We tailor every programme to your sector (finance, healthcare, energy).
- Hands-on: Zero theory. We teach what you can apply immediately.
- 500+ experts: Trainers with experience at ING, mBank, PKO BP, PGE, National Health Fund.
- Reporting: You receive complete training documentation – essential for compliance audits.
- Certificates: We issue certificates of participation (training documentation requirement in NIS2, DORA).
How do we start?
- Consultation: We discuss your needs and regulations that apply to you.
- Gap analysis: We check which training is mandatory for your company.
- Training plan: We design a training schedule for 2026.
- Implementation: We deliver training (closed, open, e-learning).
- Reporting: We provide compliance documentation.
Contact EITT: eitt.pl/contact | Call: +48 22 257 22 20 | Check our training: eitt.pl/trainings
EITT – 500+ experts, 2500+ training courses, 4.8/5 rating. Practical knowledge you can apply immediately.
FAQ — most frequently asked questions about mandatory IT training
Is NIS2 training mandatory for the entire board?
Yes. The NIS2 Directive imposes direct responsibility on management for ensuring organisational cybersecurity. Board members must complete training in cyber risk management and ICT security. Lack of documented training can result in penalties for both the board and the organisation.
How to prove DORA compliance during a financial supervisory authority audit?
Financial supervisory authorities require documentation of all activities related to ICT risk management, including training. You must have:
- Training registers (who, when, what training completed)
- Certificates of participation
- Internal training policies
- Resilience test reports (TLPT)
EITT provides complete training documentation, compliant with financial supervisory authority requirements.
Do small companies (up to 50 employees) have to comply with NIS2?
As a rule, NIS2 applies to medium and large enterprises (50+ employees, €10+ million turnover). However, small companies may be subject to regulation if they are the sole provider of a service in an essential sector or are critical to the functioning of the supply chain. Check your company’s status in the context of NIS2.
What penalties apply for lack of GDPR training?
Supervisory authorities treat lack of training as a violation of Article 32 GDPR (security of processing). In the case of a data breach caused by lack of employee training, supervisory authorities can impose a penalty of up to €20 million or 4% of annual turnover.
Is AI Act training already mandatory in 2026?
Yes. The AI Act enters full implementation on 2 August 2026. Organisations deploying high-risk AI systems must ensure AI literacy for their teams before system deployment. Lack of training can result in penalties of up to €35 million or 7% of turnover.
How often must cybersecurity training be renewed?
It depends on the regulation:
- NIS2: at least once a year (management and employees)
- DORA: regularly, according to internal policy (recommended every 6-12 months)
- GDPR: every 12-24 months
Additionally, we recommend awareness campaigns every quarter (e.g., phishing simulations).
Can compliance training be co-financed from KFS?
Yes. Training in NIS2, DORA, GDPR, cybersecurity, and IT certifications qualifies for co-financing from the National Training Fund (KFS). KFS covers up to 80% of training costs. You submit the application to the District Employment Office.
Summary: key conclusions for L&D Managers
The year 2026 is a compliance year for IT industries. The NIS2, DORA, AI Act, GDPR, and NCA regulations impose unprecedented training obligations, and penalties for non-compliance reach tens of millions of euros. For L&D Managers, this means the necessity of:
- Mapping training obligations – which regulations affect your organisation?
- Planning the budget – compliance training is an investment of PLN 100,000 - 500,000 per year (for companies with 500+ people)
- Implementing a training schedule – management, IT teams, all employees
- Documenting compliance – training registers, certificates, reports
EITT supports organisations throughout the entire process – from gap analysis, through training programme design, to implementation and reporting. Our experts know the specifics of your industry and understand how to translate regulatory requirements into practical training.
Don’t wait for an audit. Plan compliance training for 2026 today.